How to Encrypt Properly with RSA


RSA Laboratories CryptoBytes, Volume 5, No. 1, Winter/Spring 2002

David Pointcheval
Dépt d'Informatique, ENS – CNRS, 45 rue d'Ulm, Paris Cedex 05, France

Abstract. In 1993, Bellare and Rogaway formalized the concept of a random oracle, imported from complexity theory for cryptographic purposes. This new tool allowed them to present several asymmetric encryption and signature schemes that are both efficient and provably secure (in the random oracle model). The Optimal Asymmetric Encryption Padding (OAEP) is the most significant application of the random oracle model to date. It gives an efficient RSA encryption scheme with a strong security guarantee (semantic security against chosen-ciphertext attacks). After Bleichenbacher's devastating attack on RSA PKCS #1 v1.5 in 1998, RSA-OAEP became the natural successor (RSA PKCS #1 v2.0) and thus a de facto international standard. Surprisingly, Shoup recently showed that the original proof of security for OAEP is incorrect. Without a proof, RSA-OAEP cannot be trusted to provide an adequate level of security. Luckily, shortly after Shoup's discovery a formal and complete proof was found in joint work by the author and others that reaffirmed the strong level of security provided by RSA-OAEP. However, this new security proof still does not guarantee security for key sizes used in practice, due to the inefficiency of the security reduction (the reduction to inverting RSA takes quadratic time). Recent alternatives to OAEP, such as OAEP+, SAEP+, and REACT, admit more efficient proofs and thus provide adequate security for key sizes used in practice.

1 Asymmetric Encryption

In 1978, Rivest, Shamir, and Adleman proposed the first candidate trapdoor permutation [30]. A trapdoor permutation primitive is a function f that anyone can compute efficiently; however, inverting f is hard unless we are also given some trapdoor information. Given the trapdoor information, inverting f becomes easy.
Naively, a trapdoor permutation defines a simple public key encryption scheme: the description of f is the public key and the trapdoor is the secret key. Unfortunately, encryption in this naive public key system is deterministic and hence cannot be secure, as discussed below.

Before we can claim that a cryptosystem is secure (or insecure) we must precisely define what security actually means. The formalization of security notions started around the time when RSA was proposed and took several years to converge (see [18] for a survey on this topic). Today, the accepted security requirement for an encryption scheme is called semantic security against an adaptive chosen-ciphertext attack [29], or IND-CCA for short. To understand this concept we point out that security is always defined in terms of two parameters: (1) the attacker's capabilities, namely what the attacker can do during the attack, and (2) the attacker's goals, namely what the attacker is trying to do.

1. Attacker's capabilities: The strongest attacker capability in the standard model is called adaptive chosen-ciphertext attack and is denoted by (CCA) [29]. This means that the adversary has the ability to decrypt any ciphertext of his choice except for some challenge ciphertext (imagine the attacker is able to exploit a decryption box that will decrypt anything except for some known challenge ciphertext).

© RSA Security Inc.

2. Attacker's goal: The standard security goal is called semantic security [19] (also known as indistinguishability of ciphertexts), and is denoted by (IND). Roughly speaking, the attacker's goal is to deduce just one bit of information about the decryption of some given ciphertext. We say that a system is semantically secure if no efficient attacker can achieve this goal. We note that a deterministic encryption algorithm can never give semantic security.

An encryption scheme that is semantically secure under an adaptive chosen-ciphertext attack is said to be IND-CCA secure. IND-CCA security implies that even with full access to the decryption oracle, the attacker is not able to deduce one bit of information about the decryption of a given challenge ciphertext. IND-CCA may seem very strong, but such attacks are possible in some real world scenarios. In fact, CCA-like attacks have been used to break practical implementations, as we will see later. Furthermore, semantic security is required for high confidentiality, namely when the message space is limited (such as "yes" or "no", "buy" or "sell"). As a consequence, IND-CCA is accepted as the required security level for practical encryption schemes.

One can obtain many other security notions by combining different attacker goals with various attacker capabilities. For example, another security goal is called non-malleability [15, 7]. Here the attacker is given some ciphertext and his goal is to build another ciphertext such that the plaintexts are meaningfully related. Non-malleability is known to be equivalent to semantic security under an adaptive chosen-ciphertext attack [3]. For this reason, IND-CCA security is sometimes called non-malleability. Similarly, one can also consider different attacker capabilities based on the oracles given to the attacker [25, 29, 9, 20, 26]. As mentioned above, the most powerful attacker capability in the classical model is the decryption oracle itself, which decrypts any ciphertext (except the challenge ciphertext).
This classical model gives the cryptographic engine to the adversary as a black box to which he can make queries and receive correct answers in constant time. It thus excludes timing attacks [21], as well as simple and differential power analyses [22] and other differential fault analyses [8, 12].

2 The RSA-based Cryptosystems

2.1 The Plain RSA

The RSA permutation, proposed by Rivest, Shamir and Adleman [30], is the most well known trapdoor permutation. Its one-wayness is believed to be as strong as integer factorization. The RSA setup consists of choosing two large prime numbers p and q, and computing the RSA modulus n = pq. The public key is n together with an exponent e (relatively prime to ϕ(n) = (p − 1)(q − 1)). The secret key d is defined to be the inverse of e modulo ϕ(n). Encryption and decryption are defined as follows:

E_{n,e}(m) = m^e mod n,    D_{n,d}(c) = c^d mod n.

This primitive does not by itself provide an IND-CCA secure encryption scheme. Under a slightly stronger assumption than the intractability of integer factorization, it gives a cryptosystem that is only one-way under chosen-plaintext attacks, a very weak level of security. Semantic security fails because encryption is deterministic. Even worse, under a CCA attack, the attacker can fully decrypt a challenge ciphertext C = m^e mod n using the homomorphic property of RSA:

E_{n,e}(m1) · E_{n,e}(m2) = E_{n,e}(m1 · m2 mod n) mod n.

To decrypt C = m^e mod n using a CCA attack do: (1) compute C' = C · 2^e mod n, (2) give C' (≠ C) to the decryption oracle, and (3) the oracle returns 2m mod n, from which the adversary can deduce m. To overcome this simple CCA attack on RSA, practical RSA-based cryptosystems randomly pad the plaintext prior to encryption. This randomizes the ciphertext and eliminates the homomorphic property.

2.2 The RSA PKCS #1 v1.5 Encryption

A widely deployed padding for RSA-based encryption is defined in the PKCS #1 v1.5 standard: for any modulus 2^{8(k−1)} ≤ n < 2^{8k}, in order to encrypt an l-byte-long message m (for l ≤ k − 11), one randomly chooses a (k − 3 − l)-byte-long random string r (with only non-zero bytes). Then, one defines the k-byte-long string M = 02 ∥ r ∥ 0 ∥ m (see Figure 1), which is thereafter encrypted with the RSA permutation, C = M^e mod n. When decrypting a ciphertext C, the decryptor applies RSA inversion by computing M = C^d mod n and then checks that the result M matches the expected format 02 ∥ * ∥ 0 ∥ *. If so, the decryptor outputs the last part as the plaintext. Otherwise, the ciphertext is rejected.

Fig. 1. PKCS #1 v1.5 format: 02 ∥ non-zero bytes (more than 8) ∥ 0 ∥ m

Intuitively, this padding seems sufficient to rule out the above weaknesses of the plain RSA system, but without any formal proof or guarantee. Surprisingly, in 1998, Bleichenbacher [9] showed that a simple active attack can completely break RSA PKCS #1. This attack applies to real systems such as a Web server using SSL v3.0. These servers often output a specific failure message in case of an invalid ciphertext. This enables an attacker to test whether the two most significant bytes of a challenge ciphertext C are equal to 02. If so, the attacker learns the following bound on the decryption of C: 2 · 2^{8(k−2)} ≤ C^d mod n < 3 · 2^{8(k−2)}. Due to the random self-reducibility of the RSA permutation, in particular the homomorphism C · s^e = M^e · s^e = (M · s)^e mod n, the complete decryption of C can be recovered after a relatively small number of queries. Only a few million queries are needed with a 1024-bit modulus.
Bleichenbacher's attack had an impact on many practical systems and standards bodies, which suddenly became aware of the importance of formal security arguments. Nevertheless, the weak PKCS #1 v1.5 padding is still used in the TLS protocol [33]. The TLS specification now appears to defend against Bleichenbacher's attack using a technique for which no proof of security has yet been published. Certain simple attacks are still possible (for example, plaintext-checking attacks [26] can be easily run, even if they seem ineffective). The lesson here is that standards should rely as much as possible on fully analyzed constructions and avoid ad-hoc techniques.
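As an added example (not code from the article), the PKCS #1 v1.5 format of Figure 1 on a constructed toy RSA key, with a decryptor that reports only one generic failure for every malformed block; the primes, the exponent and the message values are assumptions for the demonstration.

```python
from secrets import token_bytes

# Constructed toy RSA key for the demo: the fixed primes 2^64 - 59 and 2^61 - 1
# give a 125-bit modulus, i.e. k = 16 bytes, so at most k - 11 = 5 message bytes.
# Far too small for real use; it only makes the padding format visible.
P = 18446744073709551557
Q = 2305843009213693951
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # k: byte length of the modulus


def pkcs1_v15_pad(m: bytes) -> bytes:
    """Block 00 || 02 || PS || 00 || m with PS = k - 3 - len(m) non-zero random bytes.

    The text writes the leading bytes as 02; the first byte of a block below n is 00.
    """
    if len(m) > K - 11:                # PS must keep at least 8 bytes
        raise ValueError("message too long for this modulus")
    ps = b""
    while len(ps) < K - 3 - len(m):
        b = token_bytes(1)
        if b != b"\x00":               # PS may not contain a zero byte
            ps += b
    return b"\x00\x02" + ps + b"\x00" + m


def pkcs1_v15_unpad(block: bytes):
    """Return m, or None for ANY format error.

    All checks feed one flag and one generic result: a decryptor that reports
    which check failed (bad 02 header vs. bad separator) is exactly the kind of
    failure oracle the text describes SSL v3.0 servers handing out. (Python
    string operations are not constant-time; a real decoder must fix that too.)
    """
    ok = len(block) == K and block[:2] == b"\x00\x02"
    sep = block.find(b"\x00", 2)        # index of the 00 separator, -1 if absent
    ok = ok and sep >= 10               # header (2) + at least 8 padding bytes
    return block[sep + 1:] if ok else None


def encrypt(m: bytes) -> int:
    """C = M^e mod n with M the padded block."""
    return pow(int.from_bytes(pkcs1_v15_pad(m), "big"), E, N)


def decrypt(c: int):
    """M = C^d mod n, then the format check; None means 'reject', nothing more."""
    if not 0 <= c < N:
        return None
    return pkcs1_v15_unpad(pow(c, D, N).to_bytes(K, "big"))


if __name__ == "__main__":
    c = encrypt(b"buy")
    print(decrypt(c))                      # b'buy'
    # The plain-RSA trick of section 2.1: C' = C * 2^e decrypts to the block 2M,
    # whose header is no longer 00 02, so the padding check rejects it.
    print(decrypt(c * pow(2, E, N) % N))   # None
```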

3 The Optimal Asymmetric Encryption Padding

For some time, people have tried to provide security proofs for cryptographic protocols in the reductionist sense [10]. To do so, one presents an algorithm that uses an effective adversary as a sub-program to break some underlying hardness assumption (such as the RSA assumption, or the intractability of integer factorization). Such an algorithm is called a reduction. This reduction is said to be efficient, roughly speaking, if it does not require too many calls to the sub-program.

3.1 The Random Oracle Model

A few years ago, a new line of research started with the goal of combining provable security with efficiency, still in the reductionist sense. To achieve this goal, Bellare and Rogaway [4] formalized a heuristic suggested by Fiat and Shamir [16]. This heuristic consisted in making an idealized assumption about some objects, such as hash functions, according to which they were assumed to behave like truly random functions. This assumption, known as the random oracle model, may seem strong, and lacking in practical embodiments. In fact, Canetti et al. [13] gave an example of a signature scheme which is secure in the random oracle model, but insecure under any instantiation of the random oracle. However, one can also consider random-oracle-based proofs under the assumption that the adversary is generic, whatever the actual implementation of the hash function or other idealized algorithms may be. In other words, we may assume that the adversary does not (or cannot) use any specific weakness of the hash functions used in practice. Thanks to this ideal assumption, several efficient encryption and signature schemes have been analyzed [5, 6, 27]. We emphasize that even formal analyses in the random oracle model are not strong security proofs, because of the underlying ideal assumption. They do, however, provide strong evidence for security and can furthermore serve as the basis for quite efficient schemes.
Since people do not often want to pay more than a negligible price for security, such an argument for practical schemes is more useful than formal security proofs for inefficient schemes.

Fig. 2. OAEP padding: inputs m ∥ 0^{k1} and r; outputs s and t

3.2 Description of OAEP

At the time Bleichenbacher published his attack on RSA PKCS #1 v1.5, the only efficient and provably secure encryption scheme based on RSA was the Optimal Asymmetric Encryption Padding (OAEP) proposed by Bellare and Rogaway [5]. OAEP can be used with any trapdoor permutation f. To encrypt a message m using the encryption scheme f-OAEP, first apply the OAEP procedure described in Figure 2. Here r is a random string and G, H are hash functions. The resulting values [s ∥ t] are then encrypted using f, namely C = f(s, t). Bellare and Rogaway proved that OAEP padding used with any trapdoor permutation f provides a semantically secure encryption scheme. By adding some redundancy (the constant value 0^{k1} at the end of the message, as shown in Figure 2), they furthermore proved it to be weakly plaintext-aware. Plaintext-awareness is a property of encryption schemes in the random oracle model which means that there exists a plaintext-extractor able to simulate the decryption oracle on any ciphertext (valid or not) designed by the adversary. The weak part in the definition proposed by Bellare and Rogaway was that the plaintext-extractor was just required to work while the adversary had not received any valid ciphertext from any source. Unfortunately, the adaptive chosen-ciphertext attack model gives the adversary full-time access to the decryption oracle, even after receiving the challenge ciphertext about which the adversary wants to learn information. This challenge is a valid ciphertext. Therefore, semantic security together with weak plaintext-awareness only implies semantic security against non-adaptive chosen-ciphertext attacks (a.k.a. lunchtime attacks [25], or indifferent chosen-ciphertext attacks), where decryption oracle access is limited to the time before the adversary has received the challenge ciphertext.

In 1998, Bellare, Desai, Rogaway and the author [3] corrected this initial definition of plaintext-awareness, requiring the existence of a plaintext-extractor able to simulate the decryption oracle on any ciphertext submitted by the adversary, even after seeing some valid ciphertexts not encrypted by the adversary himself. This stronger definition is a more accurate model of the real world, where the adversary may have access to ciphertexts via eavesdropping. We furthermore proved that this new property (which can only be defined in the random oracle model) actually provides the encryption scheme with the strongest security level, namely semantic security against (adaptive) chosen-ciphertext attacks (IND-CCA). However, no one ever provided OAEP with such a new plaintext-extractor. Therefore, even if everybody believed in the strong security level of OAEP, it had never been proven IND-CCA under the one-wayness of the permutation alone.

3.3 The OAEP Security Analyses

In fact, the only formally proven security result about OAEP was its semantic security against lunchtime attacks, assuming the one-wayness of the underlying permutation. Until very recently OAEP was widely believed to also be IND-CCA.

Shoup's Result. Shoup [32] recently showed that it was quite unlikely that OAEP is IND-CCA assuming only the one-wayness of the underlying trapdoor permutation. In fact, he showed that if there exists a trapdoor one-way permutation g for which it is easy to compute g(x ⊕ a) from g(x) and a, then OAEP cannot be IND-CCA secure for an arbitrary trapdoor permutation f. Referring to this special property of g as XOR-malleability, let us briefly present Shoup's counter-example. Let s ∥ t denote the output of the OAEP transformation on a plaintext message m. Define the one-way permutation f as f(s ∥ t) = s ∥ g(t). Then encrypting m using f-OAEP gives the ciphertext C = [s ∥ g(t)]. What Shoup showed is that under these conditions the adversary can use C to construct a ciphertext C' of a plaintext message m' that is closely related to the message m. In particular, for any string δ, the adversary can construct C' which is the encryption of m' = m ⊕ δ. Thus, the scheme is malleable and hence not IND-CCA: giving C' to the decryption oracle will reveal m' = m ⊕ δ, from which the adversary can obtain m.

Fig. 3. Shoup's attack: the OAEP inputs m ∥ 0^{k1} and m' ∥ 0^{k1}, the halves s, t and s', t', and the values H(s), H(s')

To construct C', the idea is for the adversary to exploit the explicit appearance of s in the ciphertext C. The adversary first computes s' = s ⊕ (δ ∥ 0^{k1}); essentially, δ ∥ 0^{k1} is simply a padded rendering of δ. The adversary then computes D = H(s) ⊕ H(s') using explicit knowledge of s and s' and access to the random oracle for H. Finally, by exploiting the XOR-malleability of g, the adversary computes g(t'), where t' = t ⊕ D. It is easy to see now that C' = s' ∥ g(t') is a valid encryption of the message m'. Hence, the non-malleability of f-OAEP is broken. This observation shows that it is unlikely that one can prove that f-OAEP is IND-CCA secure for arbitrary trapdoor permutations f by assuming only the one-wayness of f.

Repairing the OAEP Proof of Security. To construct a valid ciphertext C' in the above attack it seems that the adversary has to query the hash function H at s. But this seems to imply that given C the adversary can figure out the value s used to create C (recall that s is the left hand side of f^{-1}(C)). Thus, it appears that in order to mount Shoup's attack the adversary must be able to partly invert f: given f(s, t), the adversary must be able to expose s. We say f is partial-domain one-way if no efficient algorithm can deduce s from C = f(s, t). For such trapdoor permutations f, one could hope that Shoup's attack will fail and that f-OAEP is IND-CCA secure.
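The OAEP transform of Figure 2 together with the 0^{k1} redundancy check that the discussion of plaintext-awareness turns on, as an added example that is not the article's own code; G and H are instantiated with an MGF1-style SHA-256 expansion, and the sizes k, k0, k1 are constructed demo values, not fixed by the text.

```python
import hashlib
import hmac

# Assumption: the random oracles G and H are instantiated as MGF1 over SHA-256
# (the construction PKCS #1 v2 uses); the text only asks for hash functions.
_HASH = hashlib.sha256


def mgf1(seed: bytes, length: int) -> bytes:
    """Expand `seed` to `length` bytes as hash(seed || counter), counter = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < length:
        out += _HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands differ in length")
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_pad(m: bytes, r: bytes, k: int, k1: int) -> bytes:
    """Figure 2: s = (m || 0^k1) xor G(r), t = r xor H(s); returns the k-byte s || t.

    r is the k0-byte random string; m must be exactly k - k0 - k1 bytes (fixed
    lengths keep the example small; a real scheme pads shorter messages first).
    """
    k0 = len(r)
    if len(m) != k - k0 - k1:
        raise ValueError("message must be exactly k - k0 - k1 bytes")
    s = xor(m + b"\x00" * k1, mgf1(r, k - k0))   # first Feistel round: mask by G(r)
    t = xor(r, mgf1(s, k0))                      # second round: r masked by H(s)
    return s + t


def oaep_unpad(block: bytes, k: int, k0: int, k1: int):
    """Invert the transform and return m, or None if the 0^k1 redundancy is gone.

    This check is what a forged s || t must pass: without s (the partial-domain
    preimage of the text), an adversary cannot steer the recovered r, hence G(r),
    towards a block whose tail is all zeros.
    """
    if len(block) != k:
        return None
    s, t = block[:k - k0], block[k - k0:]
    r = xor(t, mgf1(s, k0))                      # undo the second round
    padded = xor(s, mgf1(r, k - k0))             # undo the first round
    m, tail = padded[:k - k0 - k1], padded[k - k0 - k1:]
    # Constant-time comparison: an early-exit compare would leak where it failed.
    return m if hmac.compare_digest(tail, b"\x00" * k1) else None


# Constructed demo sizes: k = 64 bytes, k0 = k1 = 16 bytes, so m is 32 bytes.
K, K0, K1 = 64, 16, 16

if __name__ == "__main__":
    msg = bytes(range(32))
    rnd = bytes(range(100, 116))                 # stands in for a fresh random r
    blk = oaep_pad(msg, rnd, K, K1)
    print(oaep_unpad(blk, K, K0, K1) == msg)     # True
    tampered = bytes([blk[0] ^ 1]) + blk[1:]     # flip one bit of s
    print(oaep_unpad(tampered, K, K0, K1))       # None: redundancy check fails
```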
Fujisaki, Okamoto, Stern and the author [17] formally proved this fact: if f is partial-domain one-way, then f-OAEP is IND-CCA secure. We note that partial-domain one-wayness is a stronger property than one-wayness: a function might be one-way but still not partial-domain one-way. Fortunately, the homomorphic properties of RSA enable us to prove that the RSA permutation is partial-domain one-way if and only if RSA is one-way. More precisely,

an algorithm that can expose half of RSA^{-1}(C) given C can be used to completely invert the RSA permutation. Altogether, this proves the widely believed IND-CCA security of RSA-OAEP assuming that RSA is a trapdoor permutation. For security parameters ε and t (whose formal definitions are omitted here), we obtain the following result [17]: Let A be a CCA-adversary against the semantic security of RSA-OAEP with running time bounded by t and advantage ε. Then, the RSA function can be inverted with probability greater than approximately ε²/4 within time bound 2t.

Unfortunately, the security reduction from an RSA inversion to an attack is quite inefficient for practical sizes (more precisely, it is quadratic in the number of oracle queries). Hence, this reduction is meaningless unless one uses a modulus large enough that the RSA inversion (or the factorization) requires much more computational effort than the reduction itself. With current factorization techniques [23, 14], one needs to use a modulus of length more than 4096 bits to make the reduction meaningful (see [24] for complexity estimates of the most efficient factoring algorithms). Viewed another way, this reduction shows that a 1024-bit modulus just provides a provable security level of 2^40, which is clearly inadequate given currently prevalent levels of computing power. (We note, however, that this does not mean that there is an attack with this low complexity, only that one cannot be ruled out by the available proofs of security.)

4 OAEP Alternatives

4.1 The OAEP+ Padding

Shoup also proposed a formal security proof of RSA-OAEP with a much more efficient security reduction, but in the particular case where the encryption exponent e is equal to 3. However, many people believe that the RSA trapdoor permutation with exponent 3 may be weaker than with greater exponents. Therefore, he also proposed a slightly modified version of OAEP, called OAEP+ (see Figure 4), which can be proven secure under the one-wayness of the permutation alone. It uses the variable redundancy R(m, r) instead of the constant 0^{k1}.
It is thus a bit more intricate than the original OAEP. The security reduction for OAEP+ is efficient, but still runs in quadratic time.

Fig. 4. OAEP+ and SAEP+ paddings: inputs m, r and the redundancy R(m, r); outputs s, t (OAEP+) and s (SAEP+)

4.2 SAEP+ Padding

Boneh [11] recently proposed a new padding scheme, SAEP+, to be used with the Rabin primitive [28] or RSA. It is simpler than OAEP, hence the name Simplified Asymmetric Encryption Padding: whereas OAEP is a two-round Feistel network, SAEP+ is a single round. SAEP+ has a linear time reduction for the Rabin system (i.e., e = 2). For larger exponents, SAEP+ has a quadratic time reduction. Hence, for larger exponents (e > 2), SAEP+ does not guarantee security for practical parameters (less than two thousand bits).

4.3 The REACT Construction

Another alternative to OAEP is the REACT construction, proposed by Okamoto and the author [26] (see Figure 5). It provides an IND-CCA encryption scheme from any weakly secure one (more precisely, a primitive that is one-way against plaintext-checking attacks), such as the RSA primitive. Therefore, the RSA-REACT scheme is IND-CCA secure under the RSA assumption. Furthermore, the security reduction is very efficient, since it is in linear time without any loss in the success probability, whatever the exponent. Consequently, it guarantees perfect equivalence with RSA inversion for moduli which require just a bit more than 2^70 effort to be factored. This is the case for 1024-bit-long moduli, the minimal currently advised key size. In comparison to previous proposals, REACT is a full scheme and not just a pure padding applied to the message before the RSA function. Consequently, the ciphertext is a bit longer. However, even when used for key transport, it allows integration of a symmetric encryption scheme (SymE) to achieve very high encryption rates, as shown in the hybrid construction. In the specific case of RSA, REACT can be optimized, as explained below.

Fig. 5. REACT: basic encryption and hybrid encryption (with SymE); in both cases the ciphertext is C1, C2, C3

4.4 Simple RSA

In an ISO report [31], Shoup suggested a possible alternative, based on ideas from Bellare and Rogaway [4], that provides a secure encryption scheme from any trapdoor one-way permutation f.
Roughly speaking, simple RSA, as it is called, consists of first encrypting a random string r using f to obtain C0 (thus C0 = r^e mod n), and then parsing H(r) as k0 ∥ k1, where H is some hash function (modeled by a random oracle). Thereafter, one encrypts the message m using a symmetric encryption scheme
